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Summary 

On May 3, 2006, the home of a Department of Veterans Affairs (VA) data 
analyst was burglarized, resulting in the theft of a laptop computer and an external 
data storage device that was reported to contain personal information on more than 
26 million veterans and United States military personnel. The VA Secretary testified 
that he was not informed of the incident until May 16, 2006, almost two weeks after 
the data had been stolen. VA publicly announced the theft on May 22. On June 29, 
VA announced that the stolen laptop computer and external hard drive had been 
recovered intact and that, based on a forensic examination conducted by the Federal 
Bureau of Investigation (FBI), the files on the external hard drive had not been 
compromised. 

Following this data theft, and in light of several ongoing information security 
and information technology management issues at the VA, several legislative 
proposals were introduced in Congress. On July 18, 2006, the House Committee on 
Veterans’ Affairs held a hearing to review these proposals, including its own draft 
bill. On July 19, Chairman Buyer introduced the committee’s draft proposal as the 
Veterans Identity and Credit Security Act of 2006 (H.R. 5835). On July 20, the full 
committee marked up H.R. 5835 and ordered the measure reported out of committee 
by voice vote. H.R. 5835, as amended, would, among other things, create a new 
position of Under Secretary for Information Services in the VA who would also serve 
as the Chief Information Officer (CIO) of the department. The bill would also 
provide credit protection services and fraud resolution services to veterans in the 
event of a data security breach at the VA. Moreover, H.R. 5835, as amended, would 
establish a scholarship program at the VA for recruitment of personnel who are 
pursuing a doctoral degree in cybersecurity. 

This report supersedes CRS Report RS22460, Theft of Veterans’ Personal 
Information, and Department of Veterans Affairs Information Technology 
Reorganization: Issues for Congress, by Sidath Viranga Panangala and Alison M. 
Smith. 



This report will be updated as events warrant. 
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Most Recent Developments 

On July 20, 2006, the House Committee on Veterans’ Affairs marked up and 
ordered to be reported out of committee by voice vote the Veterans Identity and 
Credit Security Act of 2006 (H.R. 5835). H.R. 5835, as amended, would, among 
other things, create a new position of Under Secretary for Information Services in the 
Department of Veterans Affairs (VA) who would also serve as the Chief Information 
Officer (CIO) of the department. The bill would also provide credit protection 
services and fraud resolution services to veterans in the event of a data security 
breach at the VA. Moreover, H.R. 5835 would establish scholarship and student loan 
repayment programs at the VA as a tool for recruiting and retaining cybersecurity 
personnel. The bill is awaiting report to the full House. 



Background 

On May 3, 2006, the home of a VA data analyst was burglarized, and among the 
items stolen were the employee’s personal laptop computer and an external data 
storage device. According to the VA, the information stored on this equipment 
included the names, birthdates, and Social Security numbers of approximately 26.5 
million veterans and their spouses, and as many as 1.1 million active-duty military 
personnel, 430,000 National Guard members, and 645,000 reserve personnel. The 
data theft also included some numerical disability ratings and the diagnostic codes 
that identify veterans’ disability. 1 The analyst was authorized to have access to 
sensitive data in the performance of his duties, and had been routinely taking such 
data home since 2003. 2 



1 U.S. Department of Veterans Affairs, Office of the Inspector General, Review of Issues 
Related to the Loss ofVA Information Involving the Identity of Millions of Veterans (Report 
No:06-02238-163), July 1 1, 2006,p.l, available at [http://www.va.gov/oig/51/FY2006rpts/ 
VAOIG-06-02238-163.pdf], visited July 11, 2006. Ann Scott Tyson and Christopher Lee, 
“Data Theft Affected Most in Military; National Security Concerns Raised,” Washington 
Post , June 7, 2006, Final Edition, p. A01 . 

2 Testimony of Inspector General of the Department of Veterans Affairs, George J. Opfer, 
in the U.S. Congress, House Committee on Veterans’ Affairs, hearing on the Recent Security 
Breach at the Department of Veterans Affairs, in which 26.5 million Veterans Records were 
Stolen from the Home of a VA Employee, 109 th Congress, second session. May 25, 2006. 
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On June 29, during a hearing of the House Veterans’ Affairs Committee, the 
Secretary of Veterans Affairs announced that the laptop computer and external data 
storage device that were stolen from the VA data analyst had been recovered intact 
and that, according to computer forensic examinations performed by the Federal 
Bureau of Investigation (FBI), the data files were not accessed or compromised. VA 
issued a statement on July 14 stating that “the FBI indicated to VA that it has a high 
degree of confidence, based on the results of the forensic tests and other information 
gathered during the investigation, that the sensitive files were not accessed or 
compromised.” 3 VA also announced that it would no longer provide one year of free 
credit monitoring to veterans whose personal information may have been 
compromised due to this theft, but would continue to conduct data breach analyses 
looking across multiple industries to detect patterns of misuse related to the data 
loss. 4 At the same time, the Administration withdrew its request for $160.5 million 
of additional funding for VA to provide credit monitoring services for veterans and 
military personnel affected by the theft and security breach. In its letter to Congress, 
the Administration stated that “on the basis of the FBI’s analysis, credit monitoring 
services and the associated funding will no longer be necessary.” 5 

Since the May 3 data theft, VA has informed both the House and Senate 
Veterans’ Affairs Committees about several additional data breaches. On May 18, 
2006, VA began notifying veterans at the state veterans’ nursing home in Silver Bay, 
Minnesota, regarding the loss of their individually identifiable information (e.g., 
names, birthdates, Social Security numbers, and addresses). During the same month, 
it was also reported that a data tape containing about 16,000 VA legal case records 
had been lost from the Indiana VA regional counsel’s office. These records 
potentially contained identifiable data of veterans and their dependents. Most 
recently, on August 7, VA announced that a subcontractor, hired to assist in 
insurance collections at VA medical centers (VAMCs) in Pittsburgh and 
Philadelphia, had lost a desktop computer containing personal information on some 
veterans. According to the VA, the desktop contained information on approximately 
5,000 patients treated at the Philadelphia VAMC, approximately 11,000 patients 
treated at the Pittsburgh VAMC, and approximately 2,000 deceased patients. 6 VA 
is also investigating the possibility that the computer may have contained information 
on approximately another 20,000 people who received care through the Pittsburgh 
VAMC. 7 



3 U.S. Department of Veterans Affairs, “FBI Highly Confident Recovered Data Has Not 
Been Accessed or Compromised,” press release, July 14, 2006. 

4 U.S. Department of Veterans Affairs, “VA to Conduct Data Breach Analysis; Individual 
Credit Monitoring No Longer Necessary,” press release, July 17, 2006. 

5 Office and Management and Budget (OMB) letter available at [http://www.whitehouse. 
gov/omb/budget/amendments/supplemental8a_7_18_06.pdf], visited on July 18, 2006. 

6 U.S. Department of Veterans Affairs, Office of Public Affairs, “Subcontractor Notifies VA 
of Missing Computer with Vet Files; VA, Law Enforcement Authorities Investigating,” 
press release, Aug. 7, 2006, p. 1. 

7 Ibid. 
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In response to these data breaches, the VA has taken several measures to address 
its information system security vulnerabilities. Noted below are some key actions 
taken thus far: 

• the Secretary’s memorandum to VA employees requiring them to 
complete cybersecurity and privacy awareness training; 

• issuance of VA IT Directive 06-2, which requires supervisory 
approval before the removal of confidential and Privacy Act- 
protected information from a worksite; 

• issuance of VA Directive 6504, restricting the transmission, 
transportation of, and access to VA data outside VA facilities; and 

• the Secretary’s memorandum delegating authority to the Assistant 
Secretary of Information Technology for enforcement of information 
policies and practices. 8 

This report provides a brief overview of information security issues at the VA 
and recent attempts by Congress to reorganize the management of information 
security and technology at the department. It also provides a brief analysis of the 
Veterans Identity and Credit Security Act of 2006 (H.R. 5835), as amended. 



Information Security Issues at the VA 

Recent data breaches at the VA come at a time when the department’s 
information systems are under increased scrutiny. In the past several years, both the 
Government Accountability Office (GAO) and the VA’s Office of Inspector General 
(OIG) have highlighted the VA’s computer security vulnerabilities. In September 
1 998, GAO reported that computer security weaknesses placed critical VA operations 
such as financial management, health care delivery, and benefits payments at risk of 
misuse and disruption. 9 In 1999, GAO reported that the VA’s success in improving 
computer security largely depended on strong commitment and the dedication of 
adequate resources to the information security program plan. 10 In September 2000, 
GAO reported that serious computer security problems persisted throughout the VA 
because the agency had not fully implemented an integrated security management 
program, nor had the Veterans Health Administration (VHA) effectively managed 



8 For a complete list of activities, see U.S. Department of Veterans Affairs, Office of the 
Inspector General, Review of Issues Related to the Loss ofVA Information Involving the 
Identity of Millions of Veterans. (Report No. 06-02238-163) July 11, 2006, pp. 62-64, 
available at [http://www.va.gov/oig/51/FY2006rpts/VAOIG-06-02238-163.pdf], visited 
Aug. 7, 2006. 

9 U.S. Government Accountability Office, Information Systems: VA Computer Control 
Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure, GAO/AIMD-98- 175, 
Sept. 23, 1998. 

10 U.S. Government Accountability Office, Information Systems: The Status of Computer 
Security at the Department of Veterans Affairs, GAO/AIMD-00-5, Oct. 4, 1999. 
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computer security at its medical facilities. 11 Furthermore, in testimony before the 
House Committee on Veterans’ Affairs, Subcommittee on Oversight and 
Investigations, GAO stated that “VA continues to report pervasive and serious 
information security weaknesses. Thus far, its actions toward establishing a 
comprehensive computer security management program have not been sufficient to 
ensure that the department can protect its computer systems, networks, and sensitive 
veterans health care and benefits data from unnecessary exposure to vulnerabilities 
and risks.” 12 In its annual audit reports on VA’s information security program, the 
OIG found that VA’s computer system remains vulnerable to unauthorized access 
and misuse of sensitive information and data. In March 2005, VA’s OIG reported 
that it had “identified significant information security vulnerabilities that place VA 
at considerable risk of denial of service attacks, disruption of mission-critical 
systems, fraudulent benefits payments, fraudulent receipt of health care benefits, 
unauthorized access to sensitive data, and improper disclosure of sensitive data.” 13 

In its testimony before the Senate Veterans’ Affairs Committee on July 20, 
2006, the OIG stated that “VA policies, procedures, and practices do not adequately 
safeguard personal or proprietary information used by VA employees and 
contractors.” Furthermore, the OIG “found a patchwork of policies that were 
difficult to locate and fragmented. None of the policies prohibited the removal of 
protected information from the worksite or storing protected information on a 
personally-owned computer, and did not provide safeguards for electronic data stored 
on portable media or a personal computer.” 14 While VA has attempted to fix data 
security vulnerabilities in selected sites identified by the OIG, the agency has not 
fully instituted the recommendations made by GAO and the OIG throughout its 
system. 15 



11 U.S. Government Accountability Office, VA Information Systems: Computer Security 
Weaknesses Persist at the Veterans Health Administration, GAO/AIMD-OO-232, Sept. 8, 
2000 . 

12 U.S. Government Accountability Office, VA Information Technology Progress Made, but 
Continued Management Attention Is Key to Achieving Results, GAO-02-369T, Mar. 13, 
2002 . 

13 U.S. Department of Veterans Affairs, Office of the Inspector General, Audit of the 
Department of Veterans Affairs Information Security Program (Report No. 04 -00772-122), 
not publicly available. This was quoted in the U.S. Department of Veterans Affairs, Office 
of the Inspector General, Major Management Challenges Fiscal Year 2005 (Report No. 
06-00480-26), Nov. 15, 2005, available at [http://www.va.gov/oig/53/reports/VAOIG-06- 
00480-26.pdf], visited June 13, 2006. 

14 Testimony of Inspector General of the Department of Veterans Affairs, George J. Opfer, 
in the U.S. Congress, Senate Committee on Veterans’ Affairs, hearing on VA Data Privacy 
Breach: Twenty-Six Million People Deserve Assurance of Future Security, 109 lh Congress, 
second session, July 20, 2006. 

15 Testimony of Assistant Inspector General for Audit, Department of Veterans Affairs, 
Michael Staley, and testimony of Director of Information Management Issues, U.S. 
Government Accountability Office, Linda Koontz, in the U.S. Congress, House Committee 
on Veterans’ Affairs, hearing on the Recent Security Breach at the Department of Veterans 
Affairs, in which 26.5 million Veterans Records were Stolen from the Home of a VA 

(continued...) 
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VA Information Technology Reorganization 

During the past few years, the House and Senate Veterans’ Affairs Committees 
have drawn attention to shortcomings in the management of VA’s information 
technology (IT) projects, most recently the failure of a pilot implementation of the 
Core Financial and Logistical System (CoreFLS) — integrated financial and logistics 
systems management software — at the Bay Pines Medical Center in Florida. 16 

In the wake of the CoreFLS failure, the VA’s Assistant Secretary for 
Information Technology, in December 2004, contracted with the Gartner Group to 
conduct an organizational assessment of VA IT. The study, delivered in May 2005, 
proposed several options to reorganize the development and management of VA IT 
programs. 

The first option was to keep the existing IT management structure in which VA 
IT resources are operated and managed within a highly decentralized management 
structure. The Department’ s CIO manages a central office staff of approximately 350 
employees and a direct budget of approximately $50 million per year. While the CIO 
is charged with overall responsibility for the successful management of all VA IT 
resources, the CIO has no direct management control or organizational authority over 
any of these resources. The Department’s CIO provides policy guidance, budgetary 
review, and general oversight via indirect supervision of the CIOs of each of the 
VA’s three administrations — the Veterans Health Administration (VHA), Veterans 
Benefits Administration (VBA), and National Cemetery Administration (NCA). 

The second option proposed was the “regional option.” Under this option, VA 
would be divided into three to five geographically based subdivisions. Within each 
of these, a Deputy CIO would control all IT assets and would be responsible for all 
service delivery within that region. These Deputy CIOs would report directly to the 
VA CIO. 

The third option recommended by the Gartner study was the 
“administration-centric option.” Under this option, VA would be divided by 
administration — into the VHA, VBA, and NCA — and a Deputy CIO for each 
administration would control all IT assets and be responsible for all service delivery 
within that administration. These Deputy CIOs would report directly to the VA CIO. 

The fourth option proposed was the “federated option.” Under this option, VA 
would divide operational responsibilities and IT systems development responsibilities 
into separate domains. All IT operational service delivery personnel and the budget 
associated with their support would come under the direct supervision of a national 
organization that reports directly to the CIO’s office. This organization would be 
charged with delivering all IT-related operational services to all elements of the VA 



15 (...continued) 

Employee, 109 th Congress, second session, June 14, 2006. 

16 Opening statement of Senator Larry Craig, in the U.S. Congress, Senate Committee on 
Veterans Affairs, hearing on The Management of Information Technology Resources by the 
Department of Veterans Affairs, 109 th Congress, first session, Oct. 20, 2005. 




http://wikileaks.org/wiki/CRS-RL33612 



CRS-6 



based upon a negotiated and formally agreed-upon set of specific standard IT services 
delivered according to a clearly understood and documented set of service-level 
agreement standards. Under a federated approach, IT systems development and 
management responsibility would remain with the three administrations. The VA 
CIO would maintain overall responsibility for the successful management of these 
resources and continue to provide IT budget oversight, policy, and program 
management direction for the Department. 

The last option recommended was the “centralized option.” Under this option, 
all VA IT personnel resources, assets, and budget would be under the direct 
supervision of the VA’s CIO. In general, this centralized IT organization would be 
charged with delivering all IT-related operational and systems development services 
to all elements of the VA based upon a negotiated and formally agreed-upon set of 
specific standard IT services. 17 

Following a briefing on the Gartner report, VA senior management, in October 
2005, adopted the federated model as the best model to reorganize the management 
of VA IT. As stated earlier, under the federated model, the VA would separate 
operational responsibilities and IT systems development responsibilities into separate 
domains. All IT operational service delivery personnel and the budget associated 
with their support, including all non-medical IT equipment, maintenance, and 
contractor support would come under the direct supervision of the CIO. According 
to the VA, this organizational model will provide all IT-related operational services 
to all elements of the VA, based upon a negotiated and formally agreed-upon set of 
specific standard IT services. The delivery of services would be according to a 
clearly understood and documented set of service-level agreement standards. 18 

However, frustrated by repeated failures in the VA’ s IT management, the House 
Veterans’ Affairs Committee (HVAC) felt that it needed to legislate to transform VA 
IT management. Therefore, at the same time the VA was adopting a federated 
model, HVAC reported the Department of Veterans Affairs Information Technology 
Management Improvement Act of 2005 (H.R. 4061, H.Rept. 109-256) to reorganize 
the management of V A IT programs. The bill mandated that the VA adopt a 
centralized model for IT development and management. It was the view of HVAC 
that the VA should maintain a centralized IT management system to maintain control 
of all IT-related assets, and that a federated model would not optimize IT support and 
service delivery throughout the VA. 19 H.R. 4061 passed the full House on November 
2, 2005. There has been no Senate action on this bill. 



17 Testimony of Deputy Secretary of Veterans Affairs, Gordon H. Mansfield, in the U.S. 
Congress House Committee on Veterans’ Affairs, hearing on the VA IT Infrastructure 
Reorganization and the Role of the CIO, Sept. 14, 2005. 

18 Testimony of Deputy Secretary of Veterans Affairs, Gordon H. Mansfield, in the U.S. 
Congress, Senate Committee on Veterans’ Affairs, hearing on the Management of 
Information Technology Resources by the Department of Veterans Affairs, Oct. 20, 2005. 

19 U.S. Congress, House Committee on Veterans’ Affairs, Department of Veterans Affairs 
Information Technology Managemen t Improvemen t Act of 2005, report to accompany H.R. 
4061, 109 lh Congress, first session, H.Rept. 109-256, p. 5. 
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The House and Senate Appropriations Committees have also expressed concern 
about the management of the VA’s IT program. In its report (S.Rept. 109-105) to 
accompany the FY2006 Military Construction and Veterans Affairs Appropriations 
bill (H.R. 2528), the Senate Appropriations Committee stated its concern “that 
without a single office ultimately responsible for the Department’s numerous 
automation efforts, the vast sums appropriated for this area might not be obligated 
in the most efficient manner.” 20 Moreover, the conference agreement on the FY2006 
Military Construction, Military Quality of Life and Veterans Affairs Appropriations 
Act (H.Rept. 109-305, P.L.109-144) included a provision withholding funding for 
the new Healths Vet- VistA project until the VA receives approval from the House 
and Senate Appropriations Committees on its expenditure plan for the project. 21 



Legislative Proposals on Data Security 

Since VA announced the loss of data, a number of legislative proposals have 
been introduced in both the House and Senate to address some of the issues arising 
from the data theft. These bills have been referred to the House and Senate 
Committees on Veterans’ Affairs. H.R. 5520, which was referred to the House 
Judiciary Committee, would establish the Office of Veterans Identity Protection 
Claims to adjudicate claims for those persons who have suffered losses due to the 
theft. The House Judiciary Committee approved H.R. 5520 by voice vote on June 
21. The committee also approved an amendment to the bill that would authorize $2 
million annually from fiscal years 2007-201 1 to investigate and prosecute individuals 
involved in the security breach, and would allow veterans and active-duty service 
members to file claims for up to two years for reimbursement due to losses resulting 
from the security breach. H.R. 5577 would establish the Office of Identity Protection 
to prevent and mitigate misuse of stolen personal information. H.R. 5487 and H.R. 
5588 would require the VA Secretary to establish safeguards to protect sensitive 
personal information against unauthorized access, and to outline security breach 
notification procedures. H.R. 5455, H.R. 5464, H.R. 5577, and S. 2970 include a 
notification clause. H.R. 5490 would require the Secretary to establish a national 
database of veterans who apply for or receive benefits. H.R. 5467, H.R. 5490, H.R. 
5577, S. 3176, and S. 3486 would impose penalties or liabilities for the unauthorized 
access to or disclosure of personal information. 

Many of the bills would provide affected individuals with credit-monitoring 
services. S. 3176 and S. 3486 would require the Federal Trade Commission, in 
consultation with the VA Secretary, to develop and implement a financial counseling 
program. Other bills (H.R. 5455, H.R. 5464, H.R. 5487, H.R. 5577, H.R. 5588, and 
S. 2970) would also provide free credit monitoring services and/or credit reports. 



20 U.S. Congress, Conference Committees, Military Quality of Life and Veterans Affairs 
Appropriations Act, 2006, conference report to accompany H.R. 2528, 109 lh Congress, first 
session, H.Rept. 109-305, p.56. 

21 Hcalthc'Vct-VistA is the VA’s next-generation health information system, which will 
eventually replace the current Veterans Health Information Systems and Technology 
Architecture (VistA), which is the automated patient record system. 
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Veterans Identity and Credit Security Act of 2006 

On July 18, 2006, the House Committee on Veterans’ Affairs held a hearing to 
review several of these legislative proposals. At the hearing, the committee heard 
testimony on the following bills: the Veterans’ ID Theft Protection Act of 2006 
(H.R. 5487); the Veterans Identity Protection Act of 2006 (H.R. 5577); the 
Comprehensive Veterans’ Data Protection and Identity Theft Prevention Act of 2006 
(H.R. 5588); the Veterans Identity Protection Act (H.R. 5464); and the 
Comprehensive Credit Services for Veterans Act of 2006 (H.R. 5783). The 
committee also heard testimony on a draft proposal drawn up by the committee. On 
July 19, Chairman Buyer introduced the committee’s draft proposal as the Veterans 
Identity and Credit Security Act of 2006 (H.R. 5835). On July 20, the full committee 
marked up H.R. 5835 and ordered the measure to be reported out of committee by 
voice vote. 

H.R. 5835, as amended, would create a new position of Under Secretary for 
Information Services who would also serve as the CIO of the VA, and would 
maintain control of all IT-related assets of the department, including budgets and 
personnel. The bill would require the VA to provide free credit protection services 
to those whose personal, sensitive information is lost, stolen, or otherwise 
compromised while in the possession of the VA. If the measure is implemented, VA 
would have to inform all affected individuals about any data breach, and VA would 
have to contract with credit reporting agencies to provide fraud alert services, and 
provide credit security freezes to affected individuals who request it. Moreover, 
under H.R. 5835, if the Secretary determines — based on an independent risk 
analysis — that a reasonable risk exists for the potential misuse of sensitive 
information involved in a data breach, VA is required to provide additional 
notification to affected individuals informing them about credit protection services. 

The Veterans Identity and Credit Security Act of 2006 includes a provision that 
would establish a scholarship program that would increase VA’ s ability to recruit and 
retain qualified cybersecurity professionals. Under this proposed program, VA 
would pay tuition, fees, and a monthly stipend of $ 1 ,500 to persons who are pursuing 
a doctoral degree in computer science and electrical and computer engineering. 
Furthermore, H.R. 5835 would authorize a student loan repayment program as a 
recruitment mechanism to attract qualified individuals with doctoral degrees in 
computer science and electrical and computer engineering. Under this program, the 
department would pay up to $16,500 a year for five years to eligible employees to 
repay loans related to their doctoral degrees in the above-mentioned fields. 

The Congressional Budget Office (CBO) estimates that implementing H.R. 
5835, as reported, would cost $5 million in FY2007 and approximately $50 million 
over the FY2007-FY201 1 period. Furthermore, CBO estimates that if VA were to 
experience another data breach similar to the data theft that occurred on May 3, 2006, 
the cost could be as much as $1 billion. 22 



22 U.S. Congressional Budget Office, Cost Estimate, H.R. 5835, Veterans Identity and Credit 
Security Act of 2006, July 28, 2006, p. 1 . 




